Leveraging Process Framework in Financial Compliance

2010 APQC Member Meeting
November 4, 2010
BA Brooks, Mgr Services, Marathon

1 Discussion Topics

• Initial use of framework in SOX 404 documentation

• Expanded use in 2007 across compliance initiatives, enterprise content , and major management

• Continued use of process framework in initiatives

2 Original Issue

• In mid-2003 collected considerable amount of unstructured process and controls documentation
  – Used process based templates, but limited process knowledge in business resulted in less than optimal results
  – Difficult to access gaps in documentation
  – Difficult to access gaps in controls
  – External auditor questions on early documentation results
• Solution: Develop process framework and correlate documentation to framework
  – Reviewed several frameworks, including APQC, and custom designed framework
  – Process, sub-process, business activity, risk, controls

3 Process Framework - 2004

[Figure: process framework diagram, a grid of top-level process boxes covering planning, decision support and governance; exploration, production, refining, transport, marketing and retail; and supporting processes such as supply and trading, health, environment and safety, procurement, human resources, logistics, inventory, accounting, IT, risk and credit.]

• Process
  – Sub-process
    . Location
  – Business Activity
    • Control Objective (with attributes, e.g., COSO Control Objective Type, Control Objective Priority (Risk), Related Account Balance, Related Financial Disclosure)
      - Control Activities (with attributes, e.g., Enabler, Transactional Assertion, Assertion, Control Criticality, Control Type, Control Frequency)

Framework Utilization

• Scoping
  – Locations and processes
  – Critical applications
• Risk Assessment
• Documentation
  – Early tool-set, RCTS
• Process maps
• Aggregation
• Segregation of duties analysis

6 Next Step in Evolution

• Enterprise Compliance Tool-set Implementation
  – SOX 404 driver
  – PCI
  – and ITGC operational compliance
  – Issue: how to organize data to achieve objective of documenting and testing controls once across multiple initiatives
• Enterprise Content Management
  – Documentation structure
•
  – Documentation structure

7 Adoption of APQC Framework

• Compliance, ECM, PM agreed to adopt form of APQC Upstream, Downstream Process Framework
  – ECM, PM have provided feedback to APQC on enhancement modifications
• Compliance used a modified form of the two frameworks in new
  – Used first two nodes of APQC framework
  – Used terminology familiar to Company for ease of internal adoption
  – Consistency between Company and APQC framework is numbering sequence

8 Latest Use of Process Framework

• Implementation of SAP and Sun Security Architecture
  – Automation of security provisioning
  – Re of SAP task roles
  – Design of functional and enterprise roles for provisioning through Sun tool
  – Utilized business process naming conventions for functional roles
    . Goal: greater understanding of security roles for supervision
• Use process framework in developing testing scripts to ensure appropriate testing coverage

9 Key Learnings

• Adapt framework to your business rather than adapt business to the framework
  – Adapt terminology to wording more understandable to your company

• Can have successful adoption even if company does not have well established process ownership

• Can implement from bottom up rather than top down and can implement across enterprise when have collaboration among initiative leaders

• Understanding and acceptance improves over time
  – Think in verbs, not nouns

10 Business Benefits

• Improved use of rather than single initiative solutions

• Quicker assimilation into new workgroups

• Common language
